Jailbroken iPhones In Danger From KeyRaider Malware

Data from 225,000 jailbroken iPhones is out in the open after a cyber-security researcher uncovered malware called KeyRaider. The vulnerability only applies to iPhones that have been jailbroken, so the average iPhone user has nothing to worry about.

Jailbroken iPhones: Stolen account data found

Palo Alto Networks discovered the KeyRaider malware and a collection of data that was stolen from 225,000 accounts. All that data came from jailbroken phones, and the independent Chinese group WeipTech then reported to the National Internet Emergency Centre in China that it had found all that stolen data.

The Chinese group also emailed Apple CEO Tim Cook (and published that email on Weibo) about the KeyRaider vulnerability and put up a website to allow people who have jailbroken their iPhones to see if their data was stolen.

Mostly Chinese affected by jailbreak vulnerability

Palo Alto Networks identified 92 samples of the iOS malware, which has mostly impacted Chinese users of jailbroken iPhones. The cyber-security research firm reports that KeyRaider is being distributed through “third-party Cydia repositories in China.” In addition to China, Palo Alto Networks believes users of jailbroken iPhones in the U.S., the U.K., Canada, France, Japan, Italy, Russia, Germany, Spain, Australia, Israel, South Korea, and Singapore may also have been affected by the malware.

KeyRaider works by hooking into system processes via MobileSubstrate to steal user names, passwords and device information from the devices. To gain access to this information, the malware intercepts iTunes traffic on the jailbroken iPhone, also stealing push notification service certificates, private keys and App Store purchasing details. Further, KeyRaider disables both remote and local unlocking functions on the affected devices.

What hackers wanted to accomplish

According to Palo Alto Networks, it appears that the hackers were stealing this information so that they could download apps from Apple’s App Store and make in-app purchases without having to pay for them. The hackers were specifically using two iOS jailbreak tweaks. Both tweaks intercept purchase requests for apps, and then download account information or receipts for those purchases. They then essentially log into the App Store to steal apps or make in-app “purchases” without paying for them.

Some iPhone users whose account information was hacked report unusual app purchasing histories. Others say the hackers have locked up their devices and are demanding a ransom to have them unlocked.